Abstract. We show that the classical Pollard $\rho$ algorithm for discrete
logarithms produces a collision in expected time $O(\sqrt{n}(\log n)^3)$. This
is the first nontrivial rigorous estimate for the collision probability for
the unaltered Pollard $\rho$ graph, and is close to the conjectured optimal
bound of $O(\sqrt{n})$. The result is derived by showing that the mixing time
for the random walk on this graph is $O((\log n)^3)$; without the squaring
step in the Pollard $\rho$ algorithm, the mixing time would be exponential
in $\log n$. The technique involves a spectral analysis of directed graphs,
which captures the effect of the squaring step.

Keywords: Pollard Rho algorithm, discrete logarithm, random walk, expander
graph, collision time, mixing time, spectral analysis.



1 Introduction 



Given a finite cyclic group $G$ of order $n$ and a generator $g$, the
Discrete Logarithm Problem (DLOG) asks to invert the map $y \mapsto g^y$
from $\mathbb{Z}/n\mathbb{Z}$ to $G$. Its presumed difficulty serves as the basis for
several cryptosystems, most notably the Diffie-Hellman key exchange
and some elliptic curve cryptosystems. Up to constant factors, the
Pollard $\rho$ algorithm is the most efficient and the only version with
small memory known for solving DLOG on a general cyclic group, in
particular for the group of points of an elliptic curve over a finite
field.

We quickly recall the algorithm now. First one randomly partitions
$G$ into three sets $S_1$, $S_2$, and $S_3$. Set $x_0 = h$, or more generally to
a random power $g^{r_1}h^{r_2}$. Given $x_k$, let $x_{k+1} = f(x_k)$, where $f : G \to G$
is defined by

$$f(x) = \begin{cases} gx, & x \in S_1, \\ hx, & x \in S_2, \\ x^2, & x \in S_3. \end{cases} \qquad (1.1)$$

Repeat until a collision of values of the $\{x_k\}$ is detected (this is done
using Floyd's method of comparing $x_k$ to $x_{2k}$, which has the advantage
of requiring minimal storage). We call the underlying directed
graph in the above algorithm (whose vertices are the elements of $G$,
and whose edges connect each vertex $x$ to $gx$, $hx$, and $x^2$) the
Pollard $\rho$ graph. At each stage $x_k$ may be written as $g^{a_k y + b_k}$, where
$h = g^y$. The equality of $x_k$ and $x_\ell$ means $a_k y + b_k = a_\ell y + b_\ell$, and
solving for $y$ (if possible) recovers the DLOG of $h = g^y$.
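The following Python implementation of the algorithm just described is an added example, not code from the paper; it works in the order-$n$ subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ with constructed parameters ($p = 1019$, $n = 509$, $g = 4$), tracks the exponent pair $(a_k, b_k)$ along the walk, and uses Floyd's method to detect the collision.

```python
import random


def pollard_rho_dlog(g, h, p, n, seed=0, max_restarts=20):
    """Pollard rho for the discrete logarithm of h to base g, where g has
    prime order n in (Z/pZ)^*.  Returns y with g^y = h (mod p), or None if
    every restart produced a degenerate linear equation."""
    rng = random.Random(seed)
    # Random partition of the group into S_1, S_2, S_3: the walk is
    # pseudorandom, its next step determined only by which set holds x_k.
    elements = [pow(g, i, p) for i in range(n)]
    sector = {x: rng.randrange(3) for x in elements}

    def step(x, a, b):
        # Invariant: x = g^(a*y + b).  The three edges of the Pollard rho
        # graph act on the exponent pair (a, b) as follows.
        s = sector[x]
        if s == 0:
            return g * x % p, a, (b + 1) % n           # x -> g x
        if s == 1:
            return h * x % p, (a + 1) % n, b           # x -> h x
        return x * x % p, 2 * a % n, 2 * b % n         # x -> x^2

    for _ in range(max_restarts):
        # Start at the random power g^r1 h^r2, i.e. a = r2, b = r1.
        r1, r2 = rng.randrange(n), rng.randrange(n)
        x0 = pow(g, r1, p) * pow(h, r2, p) % p
        tortoise = hare = (x0, r2, r1)
        # Floyd's method: compare x_k with x_{2k} until the values collide.
        while True:
            tortoise = step(*tortoise)
            hare = step(*step(*hare))
            if tortoise[0] == hare[0]:
                break
        (_, a1, b1), (_, a2, b2) = tortoise, hare
        # Collision gives a1*y + b1 = a2*y + b2 (mod n); solve if nondegenerate.
        if (a1 - a2) % n == 0:
            continue
        y = (b2 - b1) * pow(a1 - a2, -1, n) % n
        if pow(g, y, p) == h:
            return y
    return None


if __name__ == "__main__":
    # Constructed parameters: p = 1019 = 2*509 + 1 with 509 prime, and g = 4
    # has order 509.  h = g^123, so the answer should be 123.
    P, N, G = 1019, 509, 4
    print(pollard_rho_dlog(G, pow(G, 123, P), P, N))
```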

The above algorithm heuristically mimics a random walk. Were
that indeed the case, the collision would be found in time $O(\sqrt{n})$, where
$n$ is the order of the group $G$. (The actual constant is more subtle;
indeed, Teske [13] has given evidence that the walk is somewhat
worse than random.)

The main result of this paper is the first rigorous nontrivial upper
bound on the collision time. It is slightly worse than the conjectured
$O(\sqrt{n})$, in that its runtime is $O(\sqrt{n}(\log n)^3)$, i.e. off from $O(\sqrt{n})$ by at most
a polynomial factor in $\log n$. As is standard and without any loss of
generality, we tacitly make the following assumption:

$$\text{the order } |G| = n \text{ is prime.} \qquad (1.2)$$

Theorem 1.1. Fix $\varepsilon > 0$. Then the Pollard $\rho$ algorithm for discrete
logarithms on $G$ finds a collision in time $O(\sqrt{n}(\log n)^3)$ with probability
at least $1 - \varepsilon$, where the probability is taken over all partitions
of $G$ into three sets $S_1$, $S_2$, and $S_3$.

In the black-box group model (i.e. one which does not exploit
any special properties of the encoding of group elements), a theorem
of Shoup [11] states that any DLOG algorithm needs $\Omega(\sqrt{n})$ steps.
Hence, aside from the probabilistic nature of the above algorithm and
the extra factor of $(\log n)^3$, the estimate of Theorem 1.1 is sharp.

It should be noted that finding a collision does not necessarily
imply finding a solution to DLOG; one must also show the resulting
linear equation is nondegenerate. Since $n = |G|$ is prime this
is believed to happen with overwhelming probability, much more so
than for the above task of finding a collision in $O(\sqrt{n})$ time. This
was shown for a variant of the Pollard $\rho$ algorithm in [?], but the
method there does not apply to the original algorithm itself. Using
more refined techniques we are able to analyze this question further;
the results of these investigations will be reported upon elsewhere.

This paper is the first analysis of the unmodified Pollard $\rho$ graph,
including the fact that it is directed. One can obtain the required
rapid mixing result for directed graphs by (a) assuming that rapid
mixing holds for the undirected version, and (b) adding self-loops to
each vertex. However, one still needs to prove (a), which in our situation
is no simpler. In addition, the loops and loss of direction cause
short cycles, which lead to awkward complications in the context of
studying collisions.

Technically, analyzing directed graphs from a spectral point of
view has the well known difficulty that a spectral gap is not equivalent
to rapid mixing. A natural generalization of the spectral gap
is the operator norm gap of the adjacency matrix, which suffices for
our purposes (see Section 2). For a recent survey of mixing times on
directed graphs, see [?].

The Pollard $\rho$ graph is very similar to the graphs introduced
by the authors in [?]. These graphs, which are related to expander
graphs, also connect group elements $x$ to $f(x)$ via the operations
given in (1.1); in particular they combine the operations of multiplication
and squaring. The key estimate, a spectral bound on the
adjacency operator on this graph, is used to show its random walks
are rapidly mixing. Though the Pollard $\rho$ walk is only pseudorandom
(i.e., $x_{k+1}$ is determined completely from $x_k$ by its membership
in $S_1$, $S_2$, or $S_3$), we are solely interested here in proving that it
has a collision. The notions of random walk and pseudorandom walk
(with random assignments of vertices in the sets $S_i$) coincide until a
collision occurs.

1.1 Earlier Works 

Previous experimental and theoretical studies of the Pollard $\rho$ algorithm
and its generalizations all came to the (unproven) conclusion
that it runs in $O(\sqrt{n})$ time; this is in fact the basis for estimating the
relative bit-for-bit security of elliptic curve cryptosystems compared
to others, e.g. RSA. For an analysis of DLOG algorithms we refer the
reader to the survey by Teske [?], and for an analysis of random
walks on abelian groups, to the one by Hildebrand [3]. For the related
Pollard $\rho$ algorithm for factoring integers, Bach [1] improved
the trivial bound of $O(n)$ by logarithmic factors.

An important statistic of the involved graphs is the mixing time $\tau$,
which loosely speaking is the amount of time needed for the random
walk to converge to the uniform distribution, when started at an
arbitrary node.¹ The existing approaches to modeling Pollard $\rho$ can
be grouped into two categories:

1. Birthday attack in a totally random model: each step is viewed
as a move to a random group element, i.e. a completely random
walk. In particular one assumes that the underlying graph has
mixing time $\tau = 1$ and that its degree equals the group size; in
reality the actual Pollard $\rho$ graph has degree only 3. The $O(\sqrt{n})$
collision time is immediate for random walks of this sort.

2. Random walk in an augmented graph: the Pollard $\rho$ graph is
modified by increasing the number of generators $k$, but removing
the squaring step. One then models the above transitions as
random walks on directed abelian Cayley graphs. To ensure the
mixing time is $\tau = O(\log|G|)$, however, the graph degree must
grow at least logarithmically in $|G|$. The importance of $\tau$ stems
from the fact that, typically, one incurs an overhead of a multiplicative
factor of $\tau^{\mathrm{const}}$ in the overall algorithm.

¹ There are many inequivalent notions of mixing time (see [7]). Mixing time is only
mentioned for purposes of rough comparison between different graphs; whatever we
need about it is proved directly. Similarly, the reader need not recall any facts about
expander graphs, which are mentioned only for motivation.
Teske [13], based on Hildebrand's results [3] on random walks
on the cyclic group $\mathbb{Z}/m\mathbb{Z}$ with respect to steps of the form $x \mapsto x + a_i$,
$i \le k$, shows that the mixing time of an algorithm of the
second type is on the order of $n^{2/(k-1)}$; she gives supporting numerics
of random behavior for $k$ large. In particular, without the squaring
step the Pollard $\rho$ walk would have mixing time on the order of $n^2$,
well beyond the expected $O(\sqrt{n})$ collision time. This operation is an
intriguing and cryptographically² important aspect of the Pollard $\rho$
algorithm, and makes it inherently non-abelian: the Pollard $\rho$ graphs
are not isomorphic to any abelian Cayley graphs. Its effect cannot
be accounted for by any analysis which studies only the additive
structure of $\mathbb{Z}/m\mathbb{Z}$.

The present paper indeed analyzes the exact underlying Pollard $\rho$
graph, without any modifications. We are able to show that the inclusion
of the squaring step reduces the mixing time $\tau$ from exponential
in $\log n$ to $O((\log n)^3)$; see the remark following Proposition 3.2.

Our result and technique below easily generalize from the unmodified
Pollard $\rho$ algorithm, which has only 2 non-squaring operations,
to the generalized algorithms proposed by Teske [13] which involve
adding further such operations. Furthermore, it also applies more
generally to additional powers other than squares. We omit the details,
since the case of interest is in fact the most difficult, but have
included a sketch of the argument at the end of the paper.

2 Rapid mixing on directed graphs 

In the next two sections we will describe some results in graph theory
which are needed for the proof of Theorem 1.1. Some of this
material is analogous to known results for undirected graphs (see,
for example, [?]); however, since the literature on spectral analytic
aspects of directed graphs is relatively scarce, we have decided to
give full proofs for completeness.

The three properties of subset expansion, spectral gap, and rapid
mixing are all equivalent for families of undirected graphs with fixed
degree. This equivalence, however, fails for directed graphs. Although
a result of Fill [?] allows one to deduce rapid mixing on directed
graphs from undirected analogs, it involves adding self-loops (which
the Pollard $\rho$ graph does not have) and some additional overhead.
In any event, it requires proving an estimate about the spectrum of
the undirected graph. We are able to use the inequality [?, (A.10)],
which came up in studying related undirected graphs, in order to give
a bound on the operator norm of the directed graphs. This bound,
combined with Lemma 2.1, gives an estimate of $\tau = O((\log n)^3)$ for
the mixing time of the Pollard $\rho$ graph.

² In this version one can derive a secure hash function whose security is based on
the difficulty of the discrete logarithm problem; here the input describes the path
taken in the graph from a fixed node, and the hash value is the end point.

Let $\Gamma$ denote a graph with a finite set of vertices $V$ and edges $E$.
Our graphs will be directed graphs, meaning that each edge has an
orientation; an edge from $v_1$ to $v_2$ will be denoted by $v_1 \to v_2$. Assume
that $\Gamma$ has degree $k$, in other words that each vertex has exactly $k$
edges coming in and $k$ edges coming out of it. The adjacency operator
$A$ acts on $L^2(V) = \{f : V \to \mathbb{C}\}$ by summing over these $k$ neighbors:

$$(Af)(v) = \sum_{v \to w} f(w). \qquad (2.1)$$

Clearly constant functions, such as $\mathbf{1}(v) = 1$, are eigenfunctions of $A$
with eigenvalue $k$. Accordingly, $\mathbf{1}$ is termed the trivial eigenfunction
and $k$ the trivial eigenvalue of $A$. Representing $A$ as a $|V| \times |V|$
matrix, we see it has exactly $k$ ones in each row and column, with all
other entries equal to zero. It follows that $\mathbf{1}$ is also an eigenfunction
with eigenvalue $k$ of the adjoint operator $A^*$,

$$(A^*f)(v) = \sum_{w \to v} f(w), \qquad (2.2)$$

and that all eigenvalues $\lambda$ of $A$ or $A^*$ satisfy the bound $|\lambda| \le k$.

The subject of expander graphs is concerned with bounding the
(undirected) adjacency operator's restriction to the subspace $L_0 =
\{f \in L^2(V) \mid f \perp \mathbf{1}\}$, i.e. the orthogonal complement of the constant
functions under the $L^2$-inner product. This is customarily done by
bounding the nontrivial eigenvalues away from $k$. However, since
the adjacency operator $A$ of a directed graph might not be self-adjoint,
the operator norm can sometimes be a more useful quantity
to study. We next state a lemma relating it to the rapid mixing of
the random walk. To put the statement into perspective, consider
the $k^r$ random walks on $\Gamma$ of length $r$ starting from any fixed vertex.
One expects a uniformly distributed walk to land in any fixed subset
$S$ with probability roughly $|S|/n$. The lemma gives a condition on the
operator norm for this probability to in fact lie between $\frac{|S|}{2n}$ and $\frac{3|S|}{2n}$
for moderately large values of $r$. This can alternatively be thought
of as giving an upper bound on the mixing time.

Lemma 2.1. Let $\Gamma$ denote a directed graph of degree $k$ on $n$ vertices.
Suppose that there exists a constant $\mu < k$ such that $\|Af\| \le \mu\|f\|$
for all $f \in L^2(V)$ such that $f \perp \mathbf{1}$. Let $S$ be an arbitrary subset of
$V$. Then the number of paths of length $r \ge \frac{\log(2n)}{\log(k/\mu)}$ which start from
any given vertex and end in $S$ is between $\frac{1}{2}k^r\frac{|S|}{n}$ and $\frac{3}{2}k^r\frac{|S|}{n}$.

Proof. Let $y$ denote an arbitrary vertex in $V$, and $\chi_S$ and $\chi_{\{y\}}$ the
characteristic functions of $S$ and $\{y\}$, respectively. The number of
paths of length $r$ starting at $y$ and ending in $S$ is exactly the $L^2(V)$-inner
product $\langle \chi_S, A^r\chi_{\{y\}}\rangle$. Write

$$\chi_S = \frac{|S|}{n}\mathbf{1} + w \quad\text{and}\quad \chi_{\{y\}} = \frac{1}{n}\mathbf{1} + u, \qquad (2.3)$$

where $w, u \perp \mathbf{1}$. Because $\mathbf{1}$ is an eigenfunction of $A^*$, $A$ preserves
the orthogonal complement of $\mathbf{1}$, and thus

$$\|A^r u\| \le \mu\|A^{r-1}u\| \le \cdots \le \mu^r\|u\|. \qquad (2.4)$$

Also, by orthogonality

$$\|w\| \le \|\chi_S\| = \sqrt{|S|} \quad\text{and}\quad \|u\| \le \|\chi_{\{y\}}\| = 1. \qquad (2.5)$$

We have that $A^r\chi_{\{y\}} = \frac{1}{n}k^r\mathbf{1} + A^r u$, so the inner product may be
calculated as

$$\langle \chi_S, A^r\chi_{\{y\}}\rangle = \frac{|S|}{n}k^r + \langle w, A^r u\rangle. \qquad (2.6)$$

It now suffices to show that the absolute value of the second term
on the righthand side is bounded by half of the first term. Indeed,

$$|\langle w, A^r u\rangle| \le \|w\|\,\|A^r u\| \le \mu^r\sqrt{|S|}, \qquad (2.7)$$

and

$$\mu^r\sqrt{|S|} \le \frac{1}{2n}k^r\sqrt{|S|} \le \frac{1}{2n}k^r|S| \qquad (2.8)$$

when $r \ge \frac{\log(2n)}{\log(k/\mu)}$. □



3 Collisions on the Pollard p graph 

In this section, we prove an operator norm bound on the Pollard $\rho$
graph that is later used in conjunction with Lemma 2.1. These graphs
are closely related to an undirected graph studied in [?, Theorem 4.1].
We will start by quoting a special case of the key estimate of that
paper, which concerns quadratic forms. At first glance, the analysis
is reminiscent of the Hilbert inequality from analytic number
theory (see [?]), but where the quadratic form coefficients are
expressed as $1/\sin(\mu_j - \ldots)$

Let $n$ be an odd integer and $\lambda_k = |\cos(\pi k/n)|$ for $k \in \mathbb{Z}/n\mathbb{Z}$.
Consider the quadratic form $Q : \mathbb{R}^{n-1} \to \mathbb{R}$ given by

$$Q(x_1, \ldots, x_{n-1}) := \sum_{k=1}^{n-1} x_k x_{2k}\lambda_k, \qquad (3.1)$$

in which the subscripts are interpreted modulo $n$.

Proposition 3.1. There exists an absolute constant $c > 0$ such that

$$|Q(x)| \le \left(1 - \frac{c}{(\log n)^2}\right)\sum_{k=1}^{n-1} x_k^2. \qquad (3.2)$$

Proof. Let $\gamma_k$ be arbitrary positive quantities (which will be specified
later in the proof). Since

$$\gamma_k x_k^2 + \gamma_k^{-1}x_{2k}^2 \pm 2x_k x_{2k} = \left(\gamma_k^{1/2}x_k \pm \gamma_k^{-1/2}x_{2k}\right)^2 \ge 0, \qquad (3.3)$$

one has that

$$|Q(x)| \le \frac{1}{2}\sum_{k=1}^{n-1}\left(\gamma_k x_k^2 + \gamma_k^{-1}x_{2k}^2\right)\lambda_k
= \frac{1}{2}\sum_{k=1}^{n-1} x_k^2\left(\gamma_k\lambda_k + \gamma_{\bar 2 k}^{-1}\lambda_{\bar 2 k}\right), \qquad (3.4)$$

where $\bar 2$ denotes the multiplicative inverse to $2$ modulo $n$. The proposition
follows if we can choose $\gamma_k$ and an absolute constant $c > 0$ such
that

$$\gamma_k\lambda_k + \gamma_{\bar 2 k}^{-1}\lambda_{\bar 2 k} \le 2 - \frac{c}{(\log n)^2} \quad\text{for all } 1 \le k < n. \qquad (3.5)$$



Now we come to the definition of the $\gamma_k$. We set $\gamma_k = 1$ for
$n/4 < k < 3n/4$; the definition for the set of other nonzero indices
$S$ is more involved. For $s \ge 0$, define

$$t_s = 1 - \frac{sd}{(\log n)^2},$$

where $d > 0$ is a small constant that is chosen at the end of the
proof. Given an integer $\ell$ in the range $-n/4 < \ell < n/4$, we define
$\nu(\ell)$ to be the order to which $2$ divides $\ell$. For the residues $k \in S$, which
are all equivalent modulo $n$ to some integer $\ell$ in the interval $-n/4 <
\ell < n/4$, we define $\gamma_k = t_{\nu(\ell)}$. Note also that $\lambda_k < 1/\sqrt{2}$ for $k \notin S$,
and $\lambda_k$ is always $\le 1$. With these choices the lefthand side of (3.5) is
bounded by

$$\gamma_k\lambda_k + \gamma_{\bar 2 k}^{-1}\lambda_{\bar 2 k} \le
\begin{cases}
\frac{1}{\sqrt 2} + \frac{1}{\sqrt 2}, & k, \bar 2 k \notin S, \\
\gamma_k + \frac{1}{\sqrt 2}, & k \in S,\ \bar 2 k \notin S, \\
\frac{1}{\sqrt 2} + \gamma_{\bar 2 k}^{-1}, & k \notin S,\ \bar 2 k \in S, \\
\gamma_k + \gamma_{\bar 2 k}^{-1}, & k, \bar 2 k \in S.
\end{cases} \qquad (3.6)$$

In the last case, the residues $k$ and $\bar 2 k$ both lie in $S$. The integer
$\ell \equiv \bar 2 k \pmod n$, $-n/4 < \ell < n/4$, of course satisfies the congruence
$2\ell \equiv k \pmod n$. Since $k \in S$, $2\ell$ is the unique integer in $(-n/4, n/4)$
congruent to $k$. That means $\gamma_k = t_{s+1}$ and $\gamma_{\bar 2 k} = t_s$ for some positive
integer $s = O(\log n)$. A bound for the last case in (3.6) is therefore
$t_{s+1} + t_s^{-1} = 2 - d/(\log n)^2 + O(s^2 d^2/(\log n)^4)$. We conclude in each
of the four cases that, for $d$ sufficiently small, there exists a positive
constant $c > 0$ such that (3.5) holds. □



The Pollard $\rho$ graph, introduced earlier, is the graph on $\mathbb{Z}/n\mathbb{Z}$
whose edges represent the possibilities involved in applying the iterating
function (1.1):

$\Gamma$ has vertices $V = \mathbb{Z}/n\mathbb{Z}$ and directed edges $x \to x+1$, $x \to x+y$,
and $x \to 2x$ for each $x \in V$ (where $y \neq 1$). $\qquad (3.7)$

Proposition 3.2. Let $A$ denote the adjacency operator of the graph
(3.7) and assume that $n$ is prime. Then there exists an absolute
constant $c > 0$ such that

$$\|Af\| \le \left(3 - \frac{c}{(\log n)^2}\right)\|f\| \qquad (3.8)$$

for all $f \in L^2(V)$ such that $f \perp \mathbf{1}$.

Proof. Let $\chi_k : \mathbb{Z}/n\mathbb{Z} \to \mathbb{C}$ denote the additive character given by
$\chi_k(x) = e^{2\pi i kx/n}$. These characters, for $1 \le k < n$, form a basis of the space
$L_0 = \{f \in L^2 \mid f \perp \mathbf{1}\}$. The action of $A$ on this basis is
given by

$$A\chi_k = d_k\chi_k + \chi_{2k}, \quad\text{where } d_k = e^{2\pi i k/n} + e^{2\pi i ky/n}. \qquad (3.9)$$

One has that $|d_k| = 2|\cos(\pi k(y-1)/n)| = 2\lambda_{k(y-1)}$. Using the inner
product relation

$$\langle \chi_k, \chi_\ell\rangle = \begin{cases} n, & k = \ell, \\ 0, & \text{otherwise}, \end{cases} \qquad (3.10)$$

we compute that $\|f\|^2 = n\sum_k|c_k|^2$, where $f = \sum_{k \ne 0} c_k\chi_k$. Likewise,

$$\|Af\|^2 = \langle Af, Af\rangle =
\sum_{k,\ell} c_k\bar c_\ell\left[\langle d_k\chi_k, d_\ell\chi_\ell\rangle + \langle\chi_{2k}, \chi_{2\ell}\rangle + \langle d_k\chi_k, \chi_{2\ell}\rangle + \langle\chi_{2k}, d_\ell\chi_\ell\rangle\right]$$
$$\le n\left(5\sum_k|c_k|^2 + 2\sum_k|c_k|\,|c_{2k}|\,|d_{2k}|\right). \qquad (3.11)$$

Note that $|d_k| = 2\lambda_{k(y-1)}$, and that $y-1$ and $2$ are invertible in $\mathbb{Z}/n\mathbb{Z}$,
by assumption in (3.7). The result now follows from (3.2) with the
choice of $x_{2(y-1)k} = |c_k|$.

□
Remark: the above Proposition, in combination with Lemma 2.1,
is the source of the $\tau = O((\log n)^3)$ mixing time estimate for the
Pollard $\rho$ graph that we mentioned in the introduction.
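To see the effect the paper attributes to the squaring step, the following added Python (not from the paper) computes the endpoint distribution of the uniform random walk on the graph (3.7) over $\mathbb{Z}/n\mathbb{Z}$ with and without the edge $x \to 2x$, and reports the first length $r$ at which that distribution comes within total variation distance 0.05 of uniform; $n = 1009$, $y = 37$ and the 0.05 threshold are constructed choices.

```python
def rho_walk_step(dist, n, y, squaring=True):
    """One step of the uniform random walk on the Pollard rho graph (3.7) on
    Z/nZ: from x move to x+1, x+y or (if squaring is enabled) 2x, each with
    equal probability.  dist[x] is the probability of currently being at x."""
    deg = 3 if squaring else 2
    nxt = [0.0] * n
    for x, px in enumerate(dist):
        if px == 0.0:
            continue
        share = px / deg
        nxt[(x + 1) % n] += share
        nxt[(x + y) % n] += share
        if squaring:
            nxt[(2 * x) % n] += share
    return nxt


def walk_distribution(n, y, r, squaring=True, start=0):
    """Endpoint distribution of the length-r walk started at `start`."""
    dist = [0.0] * n
    dist[start] = 1.0
    for _ in range(r):
        dist = rho_walk_step(dist, n, y, squaring)
    return dist


def total_variation_from_uniform(dist):
    n = len(dist)
    return 0.5 * sum(abs(p - 1.0 / n) for p in dist)


def support_size(dist):
    # Without squaring the walk after r steps can only reach r+1 residues
    # (start + j + (r-j)*y), so this alone shows the absence of mixing.
    return sum(1 for p in dist if p > 0.0)


def mixing_step(n, y, eps, squaring=True, max_r=400, start=0):
    """Smallest r <= max_r at which the walk from `start` is within total
    variation eps of uniform (the crude 'mixing time' of the introduction),
    or None if that does not happen within max_r steps."""
    dist = [0.0] * n
    dist[start] = 1.0
    for r in range(1, max_r + 1):
        dist = rho_walk_step(dist, n, y, squaring)
        if total_variation_from_uniform(dist) < eps:
            return r
    return None


if __name__ == "__main__":
    # Constructed parameters: n = 1009 is prime and y = 37 != 1.
    N, Y = 1009, 37
    print("with squaring:   ", mixing_step(N, Y, 0.05, squaring=True))
    print("without squaring:", mixing_step(N, Y, 0.05, squaring=False))
```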

Proof (of Theorem 1.1). Consider the set $S$ of the first $t = \lfloor\sqrt{n}\rfloor$
iterates $x_1, x_2, \ldots, x_t$. We may assume that $|S| = t$, for otherwise
a collision has already occurred in the first $\sqrt{n}$ steps. Lemma 2.1
and Proposition 3.2 show that the probability of a walk of length
$r \gg (\log n)^3$ reaching $S$ from any fixed vertex is at least $1/(2\sqrt{n})$.
Thus the probabilities that $x_{t+r}, x_{t+2r}, x_{t+3r}, \ldots, x_{t+kr}$ lie in $S$ are
all, independently, at least $1/(3t)$. One concludes that for $k$ on the
order of $3bt$, $b$ fixed, the probability that none of these points lies in
$S$ is at most $(1 - \frac{1}{3t})^{3bt} \approx e^{-b}$, which is less than $\varepsilon$ for large values of
$b$.

Generalizations: the analysis presented here extends to generalized
Pollard $\rho$ graphs in which each vertex $x$ is connected to others of the
form $xg_i$, for various group elements $g_i$, along with powers $x^{r_j}$. This
can be done as follows. First of all, if $r$-th powers are to be used
instead of squares, then the subscript $2k$ in (3.1) must be changed
to $rk$. The key bound (3.2), stated here for $r = 2$, in fact holds for
any fixed integer $r > 1$ which is relatively prime to $n$ [?, Appendix].
Thus changing the squaring step to $x \mapsto x^r$ does not change the end
results. Secondly, the proof of the bound (3.8) requires only some
cancellation in (3.11). If additional operations are added, the cross
terms from which the cancellation was derived here are still present.
Thus Proposition 3.2 remains valid, only with the 3 replaced by
the degree of the graph. Provided this degree (= the total number
of operations) is fixed, the graph still has rapid mixing.

It is unclear if including extra power operations speeds up the
discrete logarithm algorithm. However, the rapid mixing of such random
walks may have additional applications, such as to the stream
ciphers in [?].

Acknowledgements: the authors wish to thank R. Balasubrama- 